The Data Protection and Digital Information Bill: what's in store?
The proposed new data protection legislation has now been published in draft and it has had a re-brand: the Data Protection and Digital Information Bill (the DPDI Bill) is here. Charlotte Clayson looks at what this might mean in practice.
What's it all about?
The contents of the DPDI Bill had been trailed in the Government's response to the results of its "Data: a new direction" consultation, which saw the Government trying to forge its own path in a post-Brexit world, create an 'attractive global data marketplace' and 'unlock the power of data'. Now we have some flesh on the bones of the proposals and the direction the Government wants to take. Sadly for those of us who anticipated the DPDI Bill bringing together the new proposals, the current DPA 2018 and the UK GDPR in one place, we're out of luck. The DPDI Bill is structured so as to amend the DPA 2018 and the UK GDPR, meaning that practitioners will have various pieces of legislation to work through and interpret.
Format and structure aside, there's a lot to unpack in the DPDI Bill, some of which will affect particular sectors and organisations more than others. We'll be publishing further thoughts and analysis as the DPDI Bill progresses through Parliament to a more final form but in the meantime, we set out the key changes below.
What is Personal Data?
A new codified definition of what constitutes 'personal data' has been included, which may provide more certainty to individuals and organisations alike as to the scope of personal data and how widely it can and should be interpreted. The DPDI Bill stipulates that data will only be 'personal data' if it relates to a living individual who can be identified either directly or indirectly in two specific circumstances:
- where they are identifiable by the organisation at the time of processing by 'reasonable means' or
- where the organisation 'knows or ought reasonably to know' that a third party will (or is likely to) obtain information which will result in the individual being identifiable by 'reasonable means'.
This puts the focus on who the organisation can identify, or who it reasonably anticipates might be able to identify the individual. Understanding what 'reasonable means' might be used to identify someone will require consideration of the time, effort, costs, technology and other resources required by, and available to, that person. For those who are working on anonymising data and may not be able to assure themselves that data is anonymised completely beyond reach, the 'reasonable means' test may be helpful.
Legitimate Interests
Organisations have used the 'legitimate interests' processing condition for some time to legitimise a wide range of personal data usage. Whilst the condition under the current legislation is very flexible, it also requires organisations to undertake a legitimate interests assessment, which can be an administrative burden for many. As trailed in the consultation responses, the DPDI Bill proposes a 'safe harbour' of activities that are identified as a recognised legitimate interest. These will have their own, new, processing condition.
However, the list of recognised legitimate interests is currently fairly narrow in scope and will be of most relevance to those already acting in the public interest, recognising issues such as national security, emergencies, crime, and safeguarding. There are currently no corresponding recognised legitimate interests for organisations in their 'business as usual' activities, although the Secretary of State does have the power to add to or amend the current list.
Re-using personal data
When considering whether the use of personal data for a new purpose is lawful, the DPDI Bill provides a non-exhaustive list of factors which may be taken into account. In particular, organisations may consider factors such as:
- the link between the old and new purpose for processing;
- the context in which the data was collected, including the relationship between the individual and the organisation;
- the nature of the personal data and particularly whether it is special category or otherwise sensitive (for example, data relating to criminal convictions);
- the possible consequences of the re-use of personal data; and
- whether safeguards such as encryption or pseudonymisation exist to protect the data.
In addition, the DPDI Bill sets out specific situations where the re-use of personal data will be considered lawful, including where the data subject has consented to the re-use; where processing is for the purposes of scientific or historical research, for public interest archiving or for statistical purposes; public security; emergencies and crime.
Data Subject Rights
Data Subject Rights are fundamental to the data protection legislation: that is not going to change. But the Government appears to recognise the extraordinary administrative and resource strain that dealing with these - and most commonly, DSARs - can have. The DPDI Bill looks to make it easier for organisations to refuse to comply with a request, or comply only after receiving a reasonable fee, where those requests are 'vexatious or excessive'.
The burden is on the organisation to demonstrate that a request is vexatious or excessive, having regard to all the circumstances. This may include: the nature of the request and the relationship between the organisation and the individual; the resources available to the organisation; and the extent to which there is repetition or overlap with previous requests. The DPDI Bill also provides that requests that are intended to cause distress, are not made in good faith, or are an abuse of process will be considered vexatious or excessive.
When considering these requests, organisations have traditionally been 'purpose blind', looking only at the request and not the general context. At a time when we are seeing an increasing number of Subject Access Requests being routinely deployed as a way to obtain early disclosure in the context of civil litigation or formal complaints, this may be a useful tool - particularly where organisations are able to take their resources into account. We await any further guidance and information as to how this is intended to work in practice.
AI and Automated decision making
With a focus on the UK becoming a hub for innovation, the DPDI Bill seems to recognise the need to allow organisations to use and embed AI and automated decision-making processes to drive efficiencies in service delivery. The extent to which organisations can use automated decision making has now been clarified.
If a decision is one that produces a legal, or similarly significant, effect for the individual and involves the processing of special category data, it cannot (other than in very specific circumstances) be taken solely on an 'automated decision basis', i.e. a decision with no 'meaningful' human involvement. However, where special category data is not involved, automated decision making can be used, subject to specific safeguards that will protect the rights and freedoms of the individual. These safeguards include the organisation: providing information about the decisions; enabling the individual to make representations about the decision and obtain human intervention; and enabling the individual to contest those decisions.
Data Protection Officers
The concept of DPOs is to be scrapped and replaced with 'Senior Responsible Individuals' (SRIs). The SRI will still be protected from dismissal in the same way as current DPOs and, whilst the listed tasks for which they are responsible differ from the current legislation, we expect these to be broadly similar to those that DPOs are responsible for in practice.
Interestingly, the SRI must be part of the senior management of the organisation, which means they must play a significant role in the organisation's decision making. These types of individuals have tended not to be designated as DPOs under the current legislation given the risks of conflicts of interest arising, although we note that the DPDI Bill states that some of the SRI's tasks may be undertaken by a third party where there would otherwise be a conflict of interests.
There will need to be further consideration of the final wording of the DPDI Bill and any relevant guidance to understand and clarify the extent to which organisations who have a DPO in place already will need to think again about who they appoint, and whether an entirely outsourced DPO function will be permissible.
Impact Assessments and Record keeping
Whilst the concept of a Privacy Management Programme does not appear by name, as part of the drive to reduce the administrative burdens on organisations the DPDI Bill scraps Data Protection Impact Assessments and Records of Processing Activities in their current form and replaces them with a streamlined, risk-based approach.
In their place, DPIAs are given the catchy title of 'Assessments of High Risk Processing'. Although they must still be undertaken where the processing is likely to result in a high risk to the rights and freedoms of the individual, organisations are now left to assess this for themselves rather than being mandated to carry one out in prescribed circumstances. The assessment will be evidenced by a document setting out a summary of the processing purposes; whether the processing is really necessary to achieve those purposes; the risks posed to individuals; and how those risks might be mitigated.
As for Records of Processing Activities, these are replaced with an overarching obligation on organisations to maintain 'appropriate records', which will include information about where the data is held (including whether it is held outside of the UK), the purposes for which it is processed, who the organisation shares, or intends to share, the data with, how long it is likely to be stored, and whether it includes any special category or criminal records data. 'Where possible' organisations should also include information about how the data is secured.
What is 'appropriate' record keeping for each organisation will be flexible and very much depend on the risks associated with that organisation's processing activities and – importantly – their available resources. This streamlined version of record keeping will be welcomed by many organisations, particularly smaller organisations and SMEs.
International Data Transfers
As anticipated, the DPDI Bill updates the arrangements for transferring personal data outside of the UK. This is considered to be a key issue that may affect the EU's adequacy decision for the UK. Whilst the Government's view is that reform of the legislation is 'compatible with the EU maintaining free flow of personal data from Europe', we will be keeping a close watching brief on this.
An organisation will be able to transfer personal data outside of the UK provided that it is sanctioned by the UK's version of adequacy decisions, it is transferred subject to 'appropriate safeguards', or in special circumstances, provided that the transfer complies with the legislation more generally.
A new 'data protection test' is set out which allows a more holistic and flexible approach to understanding risk than under current legislation. The test will be used by the Government to identify countries which will be granted its version of an adequacy decision. It will also be used by organisations to assess the risk of transferring data when using designated safeguards (such as standard contractual clauses) in the absence of an adequacy decision. Organisations must act 'reasonably and proportionately' in considering whether the data protection test is met.
The data protection test is met if the standard of protection provided to individuals in that country (or organisation) is 'not materially lower' than the standards provided under the UK legislation. This is quite a change, and may be significant for both the EU's adequacy decision and the Government's wish to ensure reciprocal data transfers with the US. In considering whether the data protection test is met, the following factors should be considered:
- respect for the rule of law and for human rights and any relevant international obligations;
- the existence of a data protection regulator and the extent of their enforcement powers;
- arrangements for redress by individuals, either through the courts or otherwise; and
- the constitution, traditions and culture of the country in question.
The Information Commissioner
The Information Commissioner will be rebranded as the 'Information Commission' as it moves towards a more corporate structure similar to other regulators such as Ofcom and the FCA.
The Information Commission will have the principal objective of securing an appropriate level of protection, and promoting public trust and confidence, in the processing of personal data. Whilst that is not particularly controversial, the DPDI Bill has gone forward with proposals which complement the Government's drive to become a leading centre for tech and innovation. To that end, when carrying out its functions the new Information Commission must have regard to matters including the 'desirability of promoting innovation and competition'. We wait to see how that plays out in practice, particularly with the Government now having a say in what the Information Commission's strategic priorities will be.
The Information Commission will also have new enforcement powers to add to its armoury, including the power to require documents, information and reports to be produced, and the ability to compel individuals to attend an interview.
The DPDI Bill also proposes an initial hurdle to be overcome before individuals can ask the Information Commission to investigate a breach of the legislation.
Organisations will be required to facilitate the making of complaints through a complaints form. As part of that complaint process, the complaint should be acknowledged within 30 days of receipt, and within 45 days the organisation must investigate the complaint, inform the complainant about its progress and notify the complainant of the outcome.
If the 45 day time period has not yet concluded, or no complaint has first been made to the organisation in question in line with its own complaints process, the Information Commission may refuse to investigate. The Information Commission may also refuse to investigate if it considers the complaint to be vexatious or excessive. Any refusal by the Information Commission to investigate may be appealed to the First-tier Tribunal.
Organisations may also be required to notify the Information Commission of the number of complaints they have received within a particular period.
It remains to be seen whether this two-stage complaint process will be welcomed by organisations in practice. On one hand, it delays any unnecessary involvement by the regulator, particularly if matters can be resolved internally first. However, it also potentially adds an administrative and resource burden to already overstretched teams dealing with data protection compliance, and may see further satellite litigation as disgruntled individuals appeal any refusal to investigate.
Other key developments
- Research – in a drive to support research and innovation, further clarification is given to the meaning of processing for the purposes of research and statistics, and the DPDI Bill provides additional safeguards for the processing of personal data for research, archiving or statistical purposes.
- Digital Verification Framework – the DPDI Bill sets up a framework within which digital identities can be verified, and the safeguards that will need to be in place. Further information is expected in due course around the provision of these digital verification services.
- Data Sharing – the DPDI Bill facilitates further sharing of data with the aim of making both the public and private sector work more efficiently and improve the delivery of public services.
- Cookies – in an attempt to move away from cookie consent requests appearing on every website, the DPDI Bill permits cookies not only where the individual has consented to them, but also where – for example - they are used solely to collect statistical information with a view to making improvements to services or the website itself, and the individual has been given the opportunity to object.
- PECR penalties – as anticipated, the DPDI Bill makes provision to increase the maximum penalty for breaches of PECR, including around nuisance calls, to fall in line with those under the UK GDPR and DPA 2018.
The DPDI Bill was introduced very shortly before the summer recess, in a period of flux for the current Government, and at a similar time to the ICO publishing its new strategic plan, ICO25. The second reading of the DPDI Bill is due to take place in Autumn, and how quickly that proceeds, and the extent to which it is amended, will depend in part on who wins the race to be the next leader of the Conservative Party. Rishi Sunak in particular has vowed that reform of the data protection landscape will be one of his key priorities, and both Mr Sunak and Ms Truss have said that they are keen to remove many EU-derived laws from the statute books.
Regardless of who is leading the government after the summer recess, and whilst the DPDI Bill is more 'evolution' than 'revolution', there is still a lot to consider. Only when further guidance and commentary is provided on how it is intended to work in practice will organisations have a much clearer idea of how their current data protection practices will need to be amended to comply with the new legislation, and whether it really will deliver the more streamlined and less burdensome privacy framework that we have been promised.